US CISA released the CISA Hunt and Incident Response Program (CHIRP) tool, is a Python-based tool, that allows detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise Windows environments. Below an excerpt of the CISA’s announcement:
“This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:”
Both alerts are related to SolarWinds attacks against government agencies, critical infrastructure, and private sector organizations.
This isn’t the first tool released by the US CISA to detect indicators of compromise in Microsoft environment, early this year the agency’s Cloud Forensics team released another PowerShell-based tool, dubbed Sparrow, that can that helps administrators to detect anomalies and potentially malicious activities in Azure/Microsoft 365 environments.
Similar to Sparrow, CHIRP scans for signs of APT compromise within an on-premises environment, by default it searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A alerts.
The CHIRP tool allows to examine Windows event logs for artifacts associated with this activity, Windows Registry for evidence of intrusion, query Windows network artifacts, and apply YARA rules to detect malware, backdoors, or implants.
“The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.” reads the description provided on GitHub for the tool.
“The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.”
Currently, the tool scans for:
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, CISA)
[adrotate banner=”5″]
[adrotate banner=”13″]
The FBI, UK National Crime Agency, and Europol revealed the identity of the admin of…
MITRE published more details on the recent security breach, including a timeline of the attack…
Alexander Vinnik, a Russian operator of virtual currency exchange BTC-e pleaded guilty to participating in…
The City of Wichita in Kansas was forced to shut down its computer systems after…
Resecurity found a massive leak involving the exposure of personally identifiable information (PII) of over…
Finland's Transport and Communications Agency (Traficom) warned about an ongoing Android malware campaign targeting bank…
This website uses cookies.